
Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0
Just a heads up, we had a legitimate customer receiving Office 365 secure
emails get hit with this filter.

I'm not sure what the original rule was for, but I'm assuming it was for
phishing emails, but seems to be a bit too loose on the rules to not get
false positives.



Clam team, if you need headers or anything let me know.



Sincerely,



Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300
Re: Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0
You can submit FP reports through https://www.clamav.net/reports/fp

Our threat research team has automation in place behind this submission portal to investigate and resolve FP's.

Regards,
Micah


Micah Snyder
ClamAV Development
Talos
Cisco Systems, Inc.
________________________________
From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Eric Tykwinski via clamav-users <clamav-users@lists.clamav.net>
Sent: Tuesday, July 11, 2023 1:04 PM
To: 'ClamAV users ML' <clamav-users@lists.clamav.net>
Cc: Eric Tykwinski <eric-list@truenet.com>
Subject: [clamav-users] Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0


Just a heads up, we had a legitimate customer receiving Office 365 secure emails get hit with this filter.

I'm not sure what the original rule was for, but I'm assuming it was for phishing emails, but seems to be a bit too loose on the rules to not get false positives.



Clam team, if you need headers or anything let me know.



Sincerely,



Eric Tykwinski

TrueNet, Inc.

P: 610-429-8300
Re: Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0
Taken care of… I think it only uploaded the one sample, but I think all three were just test emails sent by the MS customer.

Sincerely,

Eric Tykwinski
TrueNet, Inc.
P: 610-429-8300

> On Jul 11, 2023, at 5:30 PM, Micah Snyder (micasnyd) <micasnyd@cisco.com> wrote:
>
> You can submit FP reports through https://www.clamav.net/reports/fp
>
> Our threat research team has automation in place behind this submission portal to investigate and resolve FP's.
>
> Regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> From: clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of Eric Tykwinski via clamav-users <clamav-users@lists.clamav.net>
> Sent: Tuesday, July 11, 2023 1:04 PM
> To: 'ClamAV users ML' <clamav-users@lists.clamav.net>
> Cc: Eric Tykwinski <eric-list@truenet.com>
> Subject: [clamav-users] Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0
>
> Just a heads up, we had a legitimate customer receiving Office 365 secure emails get hit with this filter.
> I’m not sure what the original rule was for, but I’m assuming it was for phishing emails, but seems to be a bit too loose on the rules to not get false positives.
>
> Clam team, if you need headers or anything let me know.
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
Re: Needed to whitelist Email.Phishing.RPMSG_Downloader-10004958-0
Email.Phishing.RPMSG_Downloader-10004958-0 has been dropped. Thanks for
sending the FP report our way.

On Tue, Jul 11, 2023 at 5:43 PM Eric Tykwinski via clamav-users <
clamav-users@lists.clamav.net> wrote:

> Taken care of… I think it only uploaded the one sample, but I think all
> three were just test emails sent by the MS customer.
>
> Sincerely,
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300
>
> On Jul 11, 2023, at 5:30 PM, Micah Snyder (micasnyd) <micasnyd@cisco.com>
> wrote:
>
> You can submit FP reports through https://www.clamav.net/reports/fp
>
> Our threat research team has automation in place behind this submission
> portal to investigate and resolve FP's.
>
> Regards,
> Micah
>
>
> Micah Snyder
> ClamAV Development
> Talos
> Cisco Systems, Inc.
> ------------------------------
> *From:* clamav-users <clamav-users-bounces@lists.clamav.net> on behalf of
> Eric Tykwinski via clamav-users <clamav-users@lists.clamav.net>
> *Sent:* Tuesday, July 11, 2023 1:04 PM
> *To:* 'ClamAV users ML' <clamav-users@lists.clamav.net>
> *Cc:* Eric Tykwinski <eric-list@truenet.com>
> *Subject:* [clamav-users] Needed to whitelist
> Email.Phishing.RPMSG_Downloader-10004958-0
>
> Just a heads up, we had a legitimate customer receiving Office 365 secure
> emails get hit with this filter.
> I’m not sure what the original rule was for, but I’m assuming it was for
> phishing emails, but seems to be a bit too loose on the rules to not get
> false positives.
>
>
> Clam team, if you need headers or anything let me know.
>
>
> Sincerely,
>
>
> Eric Tykwinski
> TrueNet, Inc.
> P: 610-429-8300


--
Christopher Marczewski
Research Engineer, Talos
Cisco Systems
443-832-2975